Category: FILE
Started On: 2015-03-25 21:24:55
Completed On: 2015-03-25 21:26:47
Duration: 112 seconds
Cuckoo Version: 1.3-dev

Machine: windows
Label: Cuckoo
Manager: VirtualBox
Started On: 2015-03-25 21:24:57
Shutdown On: 2015-03-25 21:26:46

File Details

File name 42992f8332f9.png.exe
File size 2550272 bytes
File type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
CRC32 B4230261
MD5 ddc26b64355e0816df7f82a1710a70ea
SHA1 b5a8bd0e21c8b3dac64ec0dcb0702be77f9395e7
SHA256 a8fea02bb2f4fc66c03e22731b55f573fe4652c8ba53eae76e1a93cad6ea31d6
SHA512 10538d706d8855a8157014e18165dd7849e5ec188d123358eabf5a2b3a9c343f41244bb5af6e04fd71e8f2892eb5d1163cfa7ae0bd36e0c2cefcd2cc360ec34b
Ssdeep 49152:iBcJH9DfSwxErELxMDvqPEpzYqdfmVaHjiEYJ1S2cUDboibqIZcB:iBczbxMTzztfpGRJ1SxYvbqI
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

Signatures

Performs some HTTP requests
Lots of threads in other processes
Malfind detects an injected process
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Installs itself for autorun at Windows startup
PEB modified to hide loaded modules. Dll very likely not loaded by LoadLibrary
Malfind detects more than 3 injected processes
Stopped Firewall service
Stopped Application Layer Gateway service

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

39b77171-7033-49d4-8530-295879d112a9.rar

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

Files
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
  • C:\Windows\Microsoft.NET\Framework\\*
  • C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
  • C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
  • C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
  • C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Users\ADMINI~1\AppData\Local\Temp\42992f8332f9.png.exe.config
  • C:\Users\ADMINI~1\AppData\Local\Temp\42992f8332f9.png.exe
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\index80.dat
  • C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
  • C:\Users
  • C:\Users\ADMINI~1
  • C:\Users\ADMINI~1\AppData
  • C:\Users\ADMINI~1\AppData\Local
  • C:\Users\ADMINI~1\AppData\Local\Temp
  • C:\Device\KsecDD
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
  • C:\Users\ADMINI~1\AppData\Local\Temp\42992f8332f9.png.INI
  • C:\Windows\assembly\pubpol1.dat
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.INI
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.INI
  • C:\Windows\system32\rsaenh.dll
  • C:\Program Files\Steam\ssfn*
  • C:\Program Files\Steam\config\*
  • C:\Program Files\Steam\browser\*
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
  • C:\Program Files\Steam\39b77171-7033-49d4-8530-295879d112a9.rar
  • C:\Windows\system32\tzres.dll
  • C:\Windows\system32\en-US\tzres.dll.mui
  • C:\Program Files\Steam\config\config.vdf
  • C:\Program Files\Steam\config\DialogConfig.vdf
  • C:\Program Files\Steam\config\loginusers.vdf
  • C:\Program Files\Steam\config\SteamAppData.vdf
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.INI
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • C:\Windows\system32\en-US\KERNELBASE.dll.mui
  • Nsi
  • C:\DEVICE\NETBT_TCPIP_{0AA2F3F6-6018-4DD7-BF2C-BC83D878CD68}
  • C:\DEVICE\NETBT_TCPIP_{E29AC6C2-7037-11DE-816D-806E6F6E6963}
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
  • C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb
  • C:\Windows\symbols\dll\System.pdb
  • C:\Windows\dll\System.pdb
  • C:\Windows\System.pdb
  • C:\Users\ADMINI~1\AppData\Local\Temp\File228.pdb
  • C:\Windows\symbols\exe\File228.pdb
  • C:\Windows\exe\File228.pdb
  • C:\Windows\File228.pdb
Mutexes
  • 2115
  • DBWinMutex
Registry Keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\\v4.0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\\default
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\42992f8332f9.png.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\index80
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
  • Software\Microsoft\Rpc
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
  • Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
  • HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
  • HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\9086dbd\18e7a77b
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\7ac727df\4c76d55c
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\7ac727df\4c76d55c\7
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\77165922\6b6524e6\4
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\4c76d55c\14c565de\5
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_USERS\S-1-5-21-4043008248-2851492338-1992526481-500_Classes
  • AppID\42992f8332f9.png.exe
  • HKEY_LOCAL_MACHINE\Software\Classes\AppID\42992f8332f9.png.exe
  • SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider
  • Software\Policies\Microsoft\Cryptography
  • Software\Microsoft\Cryptography\Offload
  • Interface\{00000134-0000-0000-C000-000000000046}
  • HKEY_USERS\S-1-5-21-4043008248-2851492338-1992526481-500_Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
  • HKEY_CURRENT_USER\Software\Classes\steam\Shell\Open\Command
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.0.86.ICSharpCode.SharpZipLib__1b03e6acf1164f73
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.0.86.ICSharpCode.SharpZipLib__1b03e6acf1164f73
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\65dc48dd\5506e03a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4043008248-2851492338-1992526481-500\Installer\Assemblies\C:|Users|ADMINI~1|AppData|Local|Temp|42992f8332f9.png.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|ADMINI~1|AppData|Local|Temp|42992f8332f9.png.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|ADMINI~1|AppData|Local|Temp|42992f8332f9.png.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4043008248-2851492338-1992526481-500\Installer\Assemblies\Global
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_USERS\S-1-5-21-4043008248-2851492338-1992526481-500\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
  • Software\Microsoft\Cryptography
  • Software\Microsoft\Cryptography\DESHashSessionKeyBackward
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\159a66b8\5d94bc56\e
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\6faf58\34f474d5
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\6faf58\34f474d5\d
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\10ac776b\6310c234\1e
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  • Software\Microsoft\Tracing\42992f8332f9_RASAPI32
  • Software\Microsoft\Tracing\42992f8332f9_RASMANCS
  • HKEY_USERS\S-1-5-21-4043008248-2851492338-1992526481-500
  • HKEY_USERS\S-1-5-21-4043008248-2851492338-1992526481-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
  • System\CurrentControlSet\Control\LsaExtensionConfig\SspiCli
  • System\CurrentControlSet\Control\SecurityProviders
  • credssp.dll
  • System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  • {0aa2f3f6-6018-4dd7-bf2c-bc83d878cd68}
  • SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{E29AC6C2-7037-11DE-816D-806E6F6E6963}
  • Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
  • Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
  • Software\Microsoft\Ole
  • System\CurrentControlSet\Services\DnsCache\Parameters
  • Software\Policies\Microsoft\Windows NT\DnsClient
  • System\CurrentControlSet\Services\DNS
  • System\Setup
  • SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig
  • System\CurrentControlSet\Services\DnsCache\Parameters\DnsPolicyConfig
  • Software\Policies\Microsoft\System\DNSClient
  • SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{0AA2F3F6-6018-4DD7-BF2C-BC83D878CD68}
  • HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
  • HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server

Processes

42992f8332f9.png.exe PID: 2652, Parent PID: 2500

Volatility

Mutantscan: Scanning the whole system for Mutexes
Malfind: Scanning for injections
Apihooks: Listing API hooks
PSList: Listing processes
PSXView: Listing hidden processes
DllList: Listing loaded DLLs
Handles: Listing handles
Callbacks: Listing registered callbacks
Messagehooks: Registered Messagehooks
Getsids: Sids
Privs: Privileges
Ldrmodules: Listing hidden and loaded DLLs
Devicetree: Listing devices and drivers
Svcscan: Scanning for services
Modscan: Scan for (hidden) kernel drivers
IDT: Listing IDTs
Timers: Listing timers